Policy
Deny write access to removable drives not protected by BitLocker
Windows 11 25H2
Policy overview
Key metadata and intent for this policy.
Supported OS tags: Windows10, Windows10RT, Windows11, Windows7, Windows8, Windows81, WindowsRT, WindowsRT81, WindowsServer2008, WindowsServer2012, WindowsServer2012R2, WindowsServer2016
This policy setting configures whether BitLocker protection is required for a computer to be able to write data to a removable data drive. If you enable this policy setting, all removable data drives that are not BitLocker-protected will be mounted as read-only. If the drive is protected by BitLocker, it will be mounted with read and write access. If the "Deny write access to devices configured in another organization" option is selected, only drives with identification fields matching the computer's identification fields will be given write access. When a removable data drive is accessed it will be checked for valid identification field and allowed identification fields. These fields are defined by the "Provide the unique identifiers for your organization" policy setting. If you disable or do not configure this policy setting, all removable data drives on the computer will be mounted with read and write access. Note: This policy setting can be overridden by the policy settings under User Configuration\Administrative Templates\System\Removable Storage Access. If the "Removable Disks: Deny write access" policy setting is enabled this policy setting will be ignored.
Registry values
How enabled and disabled states update the registry.
| Registry location | Type | Enabled value | Disabled value |
|---|---|---|---|
| HKLM\System\CurrentControlSet\Policies\Microsoft\FVE\RDVDenyWriteAccess | REG_DWORD | 1 | 0 |
Policy elements
Inputs and configuration options exposed by this policy.
| Element | Type | Registry mapping | Constraints & behavior |
|---|---|---|---|
Do not allow write access to devices configured in another organization ID RDVCrossOrg | boolean | HKLM\Software\Policies\Microsoft\FVE\RDVDenyCrossOrg Type REG_DWORD | Options: true (1), false (0) True: Set value = 1 · False: Set value = 0 |
Other policies in this category
Explore related policies at the same level.
- ComputerAllow access to BitLocker-protected removable data drives from earlier versions of WindowsAt least Windows Server 2008 R2 or Windows 7 through Windows Server 2022 or Windows 11 Version 22H2
- ComputerChoose how BitLocker-protected removable drives can be recoveredAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure use of hardware-based encryption for removable data drivesAt least Windows Server 2012 or Windows 8
- ComputerConfigure use of passwords for removable data drivesAt least Windows Server 2008 R2 or Windows 7
- ComputerConfigure use of smart cards on removable data drivesAt least Windows Server 2008 R2 or Windows 7
- ComputerControl use of BitLocker on removable drivesAt least Windows Server 2008 R2 or Windows 7
- ComputerEnforce drive encryption type on removable data drivesAt least Windows Server 2012 or Windows 8